While many small businesses rely on Microsoft 365 as their default software because of its flexibility and scalability, the seemingly endless, persistent threat of cyberattacks on email security suggests that its security standards must be revised.
My opinion on the issue is not unique. Google recently released a paper directly challenging Microsoft over recent security lapses, suggesting enterprises and public sector organizations need a more secure alternative. According to a report from IT Pro, Microsoft continues suffering “security gaffes.”
In its paper, Google said Microsoft has “inadequate security culture,” as identified in an investigation by the US Cyber Security Review Board (CSRB). Why are these accusations relevant?
In my role at a global cybersecurity vendor, we’ve analyzed billions of emails worldwide. Emails are the preferred vehicle of cybercriminals. Thus, because of the opportunity, email-delivered malware remains a favorite vector for attack. Email attacks increased by more than 275% between January and December 2023.
Our most recent (Q1) email threat assessment, in which VIPRE AV Labs analyzed more than 1.8 billion emails, found that 75% of phishing emails leverage links, 24% favor attachments, and 1% use QR codes (quishing). This aligns with our finding that phishers are leaning into emails encouraging users to update or change their passwords – an innocuous enough ask in a data privacy and hygiene climate. Microsoft is the brand most commonly impersonated for this purpose.
Microsoft remains the most spoofed brand, and this quarter was no different. And why not? Investing.com notes that Microsoft users increased by 894% in 2020, and four of five Fortune 500 companies use Microsoft Office 365. It’s a safe bet for scammers, and given its level of brand recognition, it is easily impersonated.
Because of this, SMEs must continue to layer advanced email threat protection on top of the standard security offered by Microsoft to overcome some of the software’s inherent limitations and help combat phishing attacks, spoofing, and security breaches. Microsoft Office remains among the top targets for cybercriminals, with daily attacks increasing by 53% in 2023, according to VIPRE research.
Google notes that it mainly focused on the Summer 2023 Microsoft Exchange Online Intrusion that saw Chinese-affiliated threat actors known as Storm-0558 accessing the email accounts of top US Government officials. Google pointed to another cyber incident just a few months later, in which a Russian-linked threat group – Midnight Blizzard – compromised a series of Microsoft’s corporate email accounts, including those of senior leaders and their security and legal teams.
Multi-level security packages
Microsoft offers various security packages for Microsoft 365 and Office 365, ranging from E1 and E3 to E5, the most comprehensive yet expensive option. Enterprises often adopt a mix of these packages based on employees’ roles, seeking to balance functionality with expenditure.
This mix, however, is where security gaps are introduced. For example, higher-level subscriptions, such as E5, provide advanced security features crucial for VIP users or those handling sensitive data. Unfortunately, even these options do not stop the most advanced threats or threats targeted at Microsoft gaps/vulnerabilities. Lower-tier licenses lack some critical protections against impersonation and zero-day threats. Criminals exploit these gaps, knowing enterprises prioritize cost savings through license selection.
Likewise, lower-tier Microsoft subscriptions lack the more advanced threat visibility tools, such as advanced analytics and deep issue investigation capabilities. A mix-and-match approach can lead to gaps in visibility, which can lengthen crucial investigation and response times.
Microsoft portal misconfigurations
The Microsoft security portal is a hub of data collected from many repositories, databases, virtual machines, endpoints, and other conduits. This matters for email security because keeping the portal correctly configured, and maintaining its integrity over time, can be challenging.
Extrapolating this, consider Link Protection (or Safe Links). Safe Links is a Microsoft scanning tool designed to protect organizations from malicious links used in phishing and other attacks. According to Microsoft, it “provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps.”
However, the solution comes with its challenges. The functionality must be enabled in multiple places across the Microsoft portal, but as Microsoft routinely updates the platform, the settings can be altered, moved, or disabled. Apart from the risk this creates for organizations, security teams are not always made aware that this functionality has been disabled. Tracing these disconnections can be an unnecessary and time-consuming task. Instead, SMEs are better served by deploying a dedicated advanced threat protection platform on top of Microsoft 365, which has become a necessity for email security.
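As an added example, not code from the original article or from VIPRE or Microsoft, the following PowerShell function compares Exchange Online Safe Links policies and their rules against a baseline, so that the kind of silent drift described above is reported rather than discovered after an incident. The Get-SafeLinksPolicy and Get-SafeLinksRule cmdlets come from the ExchangeOnlineManagement module; the baseline values and the constructed sample objects are assumptions for illustration.

```powershell
# Added example: report Safe Links settings that have drifted from a baseline.
# Baseline values below are assumptions; adjust them to your own policy.
function Test-SafeLinksBaseline {
    param(
        [Parameter(Mandatory)] $Policies,   # output of Get-SafeLinksPolicy
        [Parameter(Mandatory)] $Rules       # output of Get-SafeLinksRule
    )
    $findings = @()
    # Each switch is a separate place where the protection can be turned off.
    $expected = @{
        EnableSafeLinksForEmail  = $true   # rewrite and verify URLs in mail
        EnableSafeLinksForTeams  = $true   # cover Teams messages as well
        EnableSafeLinksForOffice = $true   # cover supported Office apps
        ScanUrls                 = $true   # real-time scan of links in messages
        DeliverMessageAfterScan  = $true   # hold delivery until the scan completes
        AllowClickThrough        = $false  # do not let users bypass the warning page
        TrackClicks              = $true   # keep click telemetry for investigation
    }
    foreach ($p in $Policies) {
        foreach ($k in $expected.Keys) {
            if ($p.$k -ne $expected[$k]) {
                $findings += "Policy '$($p.Name)': $k is $($p.$k), expected $($expected[$k])"
            }
        }
        # A policy only takes effect through an enabled rule that references it.
        $rule = $Rules | Where-Object { $_.SafeLinksPolicy -eq $p.Name }
        if (-not $rule) {
            $findings += "Policy '$($p.Name)': no Safe Links rule references it"
        } elseif ($rule.State -ne 'Enabled') {
            $findings += "Policy '$($p.Name)': rule '$($rule.Name)' is $($rule.State)"
        }
    }
    return $findings
}

# Live use after Connect-ExchangeOnline:
#   Test-SafeLinksBaseline -Policies (Get-SafeLinksPolicy) -Rules (Get-SafeLinksRule)

# Constructed sample (not real tenant data): click-through re-enabled and the rule disabled.
$samplePolicies = @([pscustomobject]@{
    Name = 'Default'; EnableSafeLinksForEmail = $true; EnableSafeLinksForTeams = $true
    EnableSafeLinksForOffice = $true; ScanUrls = $true; DeliverMessageAfterScan = $true
    AllowClickThrough = $true; TrackClicks = $true })
$sampleRules = @([pscustomobject]@{ Name = 'Default rule'; SafeLinksPolicy = 'Default'; State = 'Disabled' })
Test-SafeLinksBaseline -Policies $samplePolicies -Rules $sampleRules
```

Run on a schedule and alert on a non-empty result; an empty result means every policy matches the baseline and is applied through an enabled rule.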
Problematic static security intelligence
Another potentially significant flaw in Microsoft’s approach is its reliance on third-party security intelligence feeds, which can introduce a delay between an update to the intelligence feed and the corresponding protection taking effect on the platform. The full reasoning could span multiple papers, but in short, Microsoft is a complex beast of a machine, and its security updates must be deployed across the entire platform. Also, email security is only one part of the overall security capability, so it may not always be addressed as a priority. A threat left unaddressed for even one or two days can enable a successful zero-day attack.
One solution to mitigate this challenge is Link Isolation. Link Isolation helps protect against unknown zero-day threats by rendering malicious URLs in emails and their associated web pages harmless.
Similarly, sandboxing capability is necessary to check for malicious attachments, where the suspicious file is isolated in a ‘sandbox’ — i.e., a virtual machine in the cloud. This allows the security team to investigate the potential threat, understand the attack pattern, and gain deep insight into the incident, such as what keys have been touched, when the process started, what network connections have been made, and so on. By adopting this approach, enterprises have live, real-time monitoring and intelligence, enabling pre-emptive action.
Security is a minor component of Microsoft’s overall solution
It isn’t fair to say that Microsoft is not focused on security. Microsoft undoubtedly is a great system, but it isn’t a dedicated security provider, nor a specialist email security provider. Historically, the company’s efforts have focused on productivity and operational systems.
Microsoft has segued into security as an additional product layer, but security is not its forte. It is undeniably better to implement an extra layer of security on top of any operational system to cover the limited protection such systems provide once their boxes are ticked. When such measures are taken, a final critical step is providing security training to staff.
Security awareness training for cultivating a cybersecurity culture
No matter how advanced security technology gets, user security risk awareness and vigilance are indispensable. Engaging with users at the moment of risk is more effective than routine, periodic security training alone. Immediately informing a user why an email/link/attachment has been blocked, and pointing out the signs that show why the item might be malicious, is more likely to stick in their memory.
However, security awareness training alone falls short. We must motivate internal teams to change their behavior. Whether it’s accidental or malicious insider activity, the successful implementation of technical controls, or the likelihood of individuals reporting security incidents, all these aspects are intricately linked to cybersecurity culture.
In today’s digital landscape, employees are an essential line of defense for every organization. Therefore, fostering awareness within organizations is instrumental in mitigating malicious and non-malicious activities. The more people are aware of cybersecurity principles, the more likely it is that malicious activities will be identified before causing harm to organizations and individuals.
Organizations must invest in comprehensive security awareness programs that empower individuals to become proactive defenders of cybersecurity and overcome the barriers brought on by a lack of awareness (like relying on unsatisfactory systems to protect and keep an organization safe without additional, robust protocols in place).
So, what can SMEs do? While many SMEs may be unable to afford the top license package for the whole organization or to hire IT resources to address the limitations in-house, they can utilize the services of third-party security service providers, who are experts in email security. This has been proven to be the most cost-effective and reliable approach.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.